Continuous Engagement in Cyberspace

By Alan W. Dowd, ASCF Senior Fellow

JANUARY 2019 — U.S. Cyber Command (CYBERCOM) was elevated to full combatant-command status last spring, joining other regional and functional combatant commands such as European Command and Special Operations Command. And last summer the Pentagon authorized CYBERCOM to carry out “constant, disruptive” operations against adversary computer networks in order “to disable cyberweapons before they can be unleashed,” according to published reports. Given the scale and number of cyberattacks against America’s swath of cyberspace, the move to stand up and unfetter CYBERCOM is long overdue.

Cyberattacks targeting U.S. citizens, allies, institutions, interests and infrastructure are happening so frequently that it’s nearly impossible to keep track of the onslaught. But here’s a list of some of the worst attacks.

Russia
Since March 2016, according to the Department of Homeland Security, “Russian government cyber actors…targeted government entities and multiple U.S. critical infrastructure sectors, including the energy, nuclear, commercial facilities, water, aviation, and critical manufacturing sectors.” Russia’s cyber-soldiers at one point even gained the ability to disable America’s power grid.

The risks posed by such infrastructure intrusions and attacks are very real. Just ask the people of Ukraine. In 2015, Ukraine endured “the first blackout caused by a cyberattack,” when eight Ukrainian utilities were hit by a malware attack emanating from Russia. The attack left 80,000 people without power—in the dead of winter. Related attacks crippled the network at Kiev’s main airport.

Moreover, a decade ago, Russia launched “Web War I” against NATO member and U.S. ally Estonia—crippling Estonia’s communications infrastructure; targeting the nation’s mobile-phone network, 9-1-1 equivalent and largest bank; and knocking out government websites.

Russia’s interference in the 2016 U.S. presidential election was enabled by hacks into the Democratic National Committee’s computer network. As DNI Dan Coats explains, Russia is using cyber-weapons to carry out “hack-and-leak influence operations, distributed denial-of-service attacks, and false flag operations” aimed at “degrading our democratic values and weakening our alliances.”

China
According to a U.S.-China Economic and Security Review Commission study, China’s use of “computer network exploitation activities to support espionage has opened rich veins of previously inaccessible information that can be mined both in support of national-security concerns and, more significantly, for national economic development.”

Specifically, Beijing has used cyberattacks to infiltrate subcontracting firms and systems related to the development of the F-35 and C-17. Beijing exploited cyberspace to gain “full functional control over networks at the Jet Propulsion Laboratory,” according to an investigation conducted by the U.S.-China Economic and Security Review Commission. And China has launched “spearphishing” attacks—a tactic using email that appears to be from a trusted source to gain access to a target’s computer—against Westinghouse Electric, Alcoa, Allegheny Technologies Incorporated and U.S. Steel.

Gen. Keith Alexander, former head of CYBERCOM, calls China’s cyber-siege of the United States “the largest transfer of wealth in history.”

Equally worrisome, China has penetrated the Office of Personnel Management and compromised the personal, financial and employment data of 21.5 million Americans. U.S. officials describe it as “the most devastating cyberattack in our nation’s history.” With Beijing holding all that personal information on current and former federal employees, the worst may be yet to come.

North Korea
North Korea’s “DarkSeoul” attacks targeted and destroyed 32,000 computers at South Korea’s largest banks and broadcasting companies. “The true intention of the DarkSeoul adversaries,” according to McAfee, was to “disrupt South Korea’s military and government activities.”

Iran
Iranian cyberattacks against the U.S. have stolen intellectual property from 144 U.S. universities and 36 U.S. companies, including 11 tech companies and two banks, Reuters reports. And Iran’s Shamoon computer virus destroyed 30,000 computers supporting the Saudi oil industry.

Response
If our enemies were conducting these sorts of attacks against U.S. territory, military bases or physical facilities, the American people and their elected representatives would recognize that we are under attack and demand a military response. But since these attacks are confined to that invisible realm of terabytes and code and identities, rather than the realm of blood and bullets and bombs, we somehow overlook this new form of warfare. That mindset must change, and CYBERCOM is leading the way.

“Achieving superiority in the physical domains in no small part depends on superiority in cyberspace,” CYBERCOM explains, adding in an unclassified report that America’s cyber-soldiers are now “continuously engaging and contesting adversaries and causing them uncertainty wherever they maneuver.” This strategy of “continuous engagement” imposes “strategic costs on our adversaries, compelling them to shift resources to defense and reduce attacks,” CYBERCOM bluntly concludes.

In short, Washington is finally heeding the counsel of Gen. James Cartwright, former vice-chairman of the Joint Chiefs of Staff, who argued a decade ago that America must “apply the principles of warfare to the cyber domain.” More recently, he has suggested that Washington may need “to do something that’s illustrative” in cyberspace to signal America’s foes.

In Russia, CYBERCOM could use its newfound authorities and growing capabilities to undermine support for Putin inside Russia by embarrassing him and/or creating doubts about the competence of his regime. For instance, it’s not difficult to imagine the U.S. executing a cyberoperation that turns Putin’s stage-managed elections into a full-blown farce: returns showing Leonid Brezhnev finishing second or Czar Nicholas II winning a few oblasts or no one at all winning. Further up the ladder, America’s cyber-soldiers could temporarily turn off the Internet in Moscow, zero-out the off-shore accounts of his oligarch cronies, or disable the banks and mobile-phone system in Crimea, just as Putin did in Estonia. Putin would get the message.

In China, America’s cyber-soldiers could turn the Internet on, using cyber-tools to create cracks and doorways in the Great Firewall of China, thus allowing Xi’s subjects to share information and ideas. Further up the ladder, the Pentagon, NSA and CIA could use cyberweapons to cut off the illegal “Made in China” islands in the South China Sea from command and control in Beijing; disable or scramble China’s information networks in the South China Sea; implant bugs or backdoors in the schematics and other intellectual property China has stolen from U.S. defense contractors, and then activate those digital timebombs to yield defective military hardware for the PLA.

In 2013, Gen. Martin Dempsey, who was Joint Chiefs chairman at the time, mentioned “cyberwarfare” and “electronic attack” as key to protecting the U.S. from the mushrooming missile threat. We now know that the Obama administration secretly launched cyberoperations around that time targeting North Korea’s illicit missile program. “Soon, a large number of the North’s military rockets began to explode, veer off course, disintegrate in midair and plunge into the sea,” as the New York Times reports. One North Korean missile, which had enjoyed a solid test record, began to see failure rates of 88 percent, the Times notes. The flurry of missile mishaps reportedly led Kim Jong Un to order investigations into U.S. sabotage—and executions of some of his most senior military aides. “Disrupting their tests,” according to former Defense Secretary William Perry, is “a pretty effective way of stopping their ICBM program.” And as we have seen, these disruptive cyberoperations have a beneficial second-order effect: inciting Kim’s ire to the point of eliminating his own military commanders and rocket scientists.

CYBERCOM and other U.S. agencies should dial up this “left-of-launch” cyber-campaign and expand it into other aspects of Kim’s military—and into other hostile regimes.

Iran is an ideal candidate in this regard, given its recent spasm of illegal missile tests, each increasing Tehran’s range and reach. A left-of-launch cyberoperation against Iran’s missile enterprise can be an effective way to delay the development of long-range Iranian capabilities—and destabilize its military. We know that Iran was the target of a massive and sophisticated cyberoperation known as “Olympic Games” that began under the Bush administration and continued under the Obama administration. A key element of Olympic Games was the Stuxnet computer virus, which became the first cyberattack “used to effect physical destruction,” as former CIA director Michael Hayden has explained. According to Ralph Langner, an expert in industrial computer systems, Stuxnet “was as effective as a military strike,” setting Iran’s nuclear program back years. Hopefully, CYBERCOM is using its new authorities to develop and deploy the next generation of Stuxnet against Iran’s terrorist tyranny.

CYBERCOM must also keep ISIS, al Qaeda and other terror groups on the defensive by using cyber-enabled weapons to exacerbate fissures within the jihadist movement and pit them against each other; prevent jihadist groups from spreading their message and attracting new recruits to the ranks; and publicly counter their claims.

Cyber-Defense Doctrine
These are not fanciful concepts. In addition to Stuxnet and the left-of-launch ops, we know the U.S. has conducted these sorts of cyberoperations in the recent past: Published reports indicate that U.S. assets have hacked into the operations and hardware outputs of Chinese telecommunications firms Huawei and ZTE. Beijing itself claims that U.S.-based entities have “directly controlled 1.18 million host computers in China.”

North Korea’s swath of the Internet went dark for a period of time in 2014. Doubtless, this was the result of a U.S. retaliatory cyber-strike following Pyongyang’s hacking of Sony.

We also know that under an operation codenamed “Nitro Zeus” the U.S. has developed cyberweapons capable of disabling Iran’s air defenses, communications capabilities and power grids. Hopefully, CYBERCOM is expanding and tailoring these sorts of cyberweapons systems to Russian, Chinese and North Korean defenses.

Regardless of when or if Washington decides to fire a cyber-shot across the bow of Beijing or Moscow, policymakers need to put hostile regimes on notice that the U.S. will make no distinction between kinetic attacks and cyberattacks on America’s interests and infrastructure. The template is President Trump’s warning about attacks on U.S. space assets: “Any harmful interference with or an attack upon critical components of our space architecture that directly affects this vital U.S. interest,” the president declared in 2017, “will be met with a deliberate response at a time, place, manner and domain of our choosing.” A similar statement about America’s cyberspace assets and interests would assist warfighters in their deterrence mission.